I get the shellcode from the Flash exploit, where it's provided as a hex-encoded string starting with "90909090" (four NOPs):
I convert it to an executable with Shellcode2Exe to be able to step through it in OllyDbg.
Taking the step into shellcode
Loading it up in Olly, it starts with a loop that decodes the payload URL list using XOR, as seen below. The key can be found by inspecting ESI when first hitting the loop, and the encoded data by inspecting EDI.
The shellcode uses URLDownloadToCacheFileA to download the payload. Should the payload be successfully downloaded, it will be opened with CreateFileA and read with ReadFile into memory allocated using VirtualAlloc.
After reading the file, it is decrypted with the RC4 cipher using a key defined in the shellcode. I recommend reading the post from VRT on how to recognize RC4 when debugging. This is the function found in the shellcode:
At this point it's possible either to let the shellcode run until CloseHandle is called and the decrypted payload has been written back to disk, or to write a script that decrypts the payload extracted from the PCAP. A small implementation of the RC4 cipher can be found here (Python).
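The RC4 routine below is an added example, not the script linked from the post or code taken from the shellcode. It implements the cipher the shellcode applies to the downloaded file, with the KSA split out because that 256-entry swap loop is what you recognize in the debugger. The key and the "payload" are constructed for the demo (the real 5-byte key has to be read out of the shellcode), and the MZ check assumes the payload handed to CreateProcessA is a PE executable.

```python
# Added example: RC4 decryption of a downloaded payload, as the shellcode does it
# in the VirtualAlloc'd buffer. Key and payload below are constructed for the demo.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] by the key bytes.
    This swap loop over a 256-entry table is the pattern that gives RC4
    away when stepping through unknown code in a debugger."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed demo data: a fake "downloaded payload" (just an MZ header stub) encrypted
# with a constructed 5-byte key, standing in for the file carved out of the PCAP.
DEMO_KEY = b"\x13\x37\xc0\xde\x42"  # assumption: NOT the real RIG key
DEMO_PLAIN = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode."
DEMO_ENCRYPTED = rc4_crypt(DEMO_KEY, DEMO_PLAIN)

def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt a downloaded payload and sanity-check the result.
    Assumption: the payload is a PE, so a wrong key (or a blob carved at the
    wrong offset) shows up as a missing 'MZ' signature."""
    plain = rc4_crypt(key, blob)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data does not start with MZ: wrong key or offset?")
    return plain

def decrypt_file(src: str, dst: str, key: bytes) -> int:
    """Decrypt a payload extracted from the PCAP and write it back to disk,
    mirroring what the shellcode has done by the time CloseHandle is called."""
    with open(src, "rb") as f:
        plain = decrypt_payload(f.read(), key)
    with open(dst, "wb") as f:
        f.write(plain)
    return len(plain)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: rc4_payload.py <encrypted-from-pcap> <out.exe> <hex-key>
        n = decrypt_file(sys.argv[1], sys.argv[2], bytes.fromhex(sys.argv[3]))
        print(f"wrote {n} bytes")
    else:
        print(decrypt_payload(DEMO_ENCRYPTED, DEMO_KEY)[:2])
```

Run it with the blob carved from the HTTP response in the PCAP and the key recovered from the shellcode as hex; if the MZ check fails, the carve offset is the first thing to re-check, since RC4 has no framing and any leading HTTP bytes left in the blob shift the whole keystream.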
The most interesting thing about the shellcode is that it carries more functionality than is actually used: it is used to download a single payload, but it supports multiple payloads.
After calling CreateProcessA, the shellcode steps through the URL it just used looking for the end of the string (0x00) and compares the following byte with "!" (0x21). If it matches, the shellcode ends; otherwise it starts over with the next URL as a new payload.
An example of a URL list would look like this:
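To tie the XOR loop and the "!" check together, here is an added example (not code from the post or from the shellcode) that decodes a URL list and walks it the way the shellcode does: URL, 0x00 terminator, then either "!" to stop or the next URL. The key, the URLs and the exact list layout are constructed from the description above, and the XOR is assumed to be a repeating 5-byte key over the data. It also goes one step beyond the post: because every URL starts with "http:" (5 known bytes, the same length as the key), the key can be recovered from the encoded bytes alone when no debugger session is at hand.

```python
# Added example: decode the XOR-encoded URL list and iterate it like the shellcode.
# In the debugger the key is the 5 bytes ESI points at when the loop is first hit
# and the data is at EDI; here both are constructed.

KEY_LEN = 5  # the post reports a 5-byte XOR key

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: the shellcode cycles the key over the data).
    XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(encoded: bytes, known_prefix: bytes = b"http:", key_len: int = KEY_LEN) -> bytes:
    """Added generalisation: recover the key by known-plaintext, assuming the first
    URL begins with 'http:' and that the key is key_len bytes long."""
    if len(known_prefix) < key_len or len(encoded) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and data")
    return bytes(encoded[i] ^ known_prefix[i] for i in range(key_len))

def walk_url_list(decoded: bytes) -> list:
    """Mimic the shellcode's loop: take a URL, scan to its 0x00 terminator, then
    look at the next byte. '!' (0x21) ends the list; anything else starts the
    next URL. A list without the terminator is treated as malformed."""
    urls = []
    pos = 0
    while True:
        end = decoded.find(b"\x00", pos)
        if end < 0:
            raise ValueError("URL not NUL-terminated: list is malformed")
        urls.append(decoded[pos:end].decode("ascii"))
        nxt = end + 1
        if nxt >= len(decoded):
            raise ValueError("URL list ran off the end without a '!' terminator")
        if decoded[nxt] == 0x21:  # '!'
            return urls
        pos = nxt

def decode_and_walk(encoded: bytes, key: bytes = None) -> list:
    """Decode an encoded list (recovering the key if none is given) and return the URLs."""
    if key is None:
        key = recover_key(encoded)
    return walk_url_list(xor_decode(encoded, key))

# Constructed demo data (not the real RIG key or URLs; .invalid is a reserved TLD).
DEMO_KEY = b"\x5a\x13\x9f\x2c\x77"
DEMO_URLS = [b"http://example.invalid/a.exe", b"http://example.invalid/b.exe"]
DEMO_PLAIN = b"".join(u + b"\x00" for u in DEMO_URLS) + b"!"
DEMO_ENCODED = xor_decode(DEMO_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    for url in decode_and_walk(DEMO_ENCODED):
        print(url)
```

When working from the PCAP rather than the debugger, feed the raw encoded bytes to decode_and_walk() without a key; if the first URL does not start with "http:", the recovered key will be wrong and the walk will fail on the NUL scan, which is the cue to fall back to reading ESI.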
Conclusion of sorts
RIG's shellcode has the capability to download and execute multiple payloads, each encrypted using RC4 (5-byte key). The URL list is encoded using XOR (5-byte key).
API calls used in the shellcode (in order of first call):
You can find the hex-encoded shellcode on [pastebin].